
PDPA (Singapore) Compliance Checklist

Singapore Personal Data Protection Regulations

Overview

Singapore's PDPA governs how organizations collect, use, disclose, and protect personal data. It has been in force since 2012 and got major updates in 2020 and 2021. The Personal Data Protection Commission enforces it.

The 2021 changes brought mandatory data breach notification, raised fines to $1 million SGD or 10% of annual turnover in Singapore (whichever is higher), and broadened the deemed consent provisions. If you handle personal data in Singapore, this Act applies to you.

Data Protection Obligations

Obligation                  Description
Consent Obligation          Get valid consent before collecting, using, or disclosing personal data for specific purposes
Purpose Limitation          Only collect, use, or disclose data for purposes a reasonable person would accept
Notification Obligation     Tell people why you're collecting their data and how you'll use it
Access Obligation           Give individuals access to their data and information about how you've used it in the past year
Correction Obligation       Fix personal data when someone submits a valid request
Protection Obligation       Put in place reasonable security arrangements to protect personal data
Retention Limitation        Delete or anonymize personal data once you no longer need it for business or legal reasons
Transfer Limitation         Make sure overseas recipients provide protection comparable to the PDPA when you transfer data abroad
Data Breach Notification    Report notifiable breaches to the PDPC and affected individuals
Accountability Obligation   Build policies and practices that meet PDPA requirements, and be ready to demonstrate compliance

Data Breach Notification Requirements

  • A breach is notifiable if it causes or is likely to cause significant harm to affected individuals, OR if it involves 500 or more people
  • Notify the PDPC within 3 calendar days of determining the breach is notifiable
  • Notify affected individuals as soon as practicable if the breach is likely to cause significant harm
  • You have up to 30 calendar days from discovering the breach to decide whether it is notifiable
  • Notifications must describe the breach, the data types involved, what you've done to fix it, and how to contact you
  • Document every breach, even the ones that don't meet the notification threshold

Implementation Checklist

  • Appoint a Data Protection Officer and publish their business contact details
  • Write and publish a data protection policy that your customers and staff can access
  • Run a full data inventory and map how data flows through your organization
  • Update your consent practices to match the expanded deemed consent framework
  • Build a breach response plan with clear roles, assessment criteria, and notification templates
  • Set up processes to handle access and correction requests within 30 business days
  • Review your data retention schedules and implement secure disposal procedures
  • Assess cross-border transfers and put contractual protections in place where needed
  • Train all employees who handle personal data at least once a year
  • Document your legitimate interest assessments wherever you rely on deemed consent
  • Implement reasonable security measures including encryption, access controls, and monitoring

Enforcement and Penalties

The PDPC can fine you up to $1 million SGD or 10% of your annual turnover in Singapore, whichever is higher, if your turnover exceeds $10 million SGD. They can also order you to stop collecting, using, or disclosing data. They can force you to destroy data. And they publish enforcement decisions on their website, which means your breach becomes public reading material.

Those published decisions are actually useful. They show you exactly what the PDPC expects and where other organizations have slipped up. Read them. Learn from their mistakes.

Common Questions

It applies to all private sector organizations that collect, use, or disclose personal data in Singapore. Public agencies follow separate rules. Individuals acting in a personal or domestic capacity are exempt, as are employees acting in the course of their employment.

Yes. Every organization covered by the PDPA must designate at least one Data Protection Officer. You need to publish their business contact details. The DPO can be an existing employee wearing multiple hats. It doesn't have to be a dedicated full-time role.

Significant harm covers physical harm, harassment, reputational damage, financial loss, identity theft, and other serious effects. The PDPC looks at the data type and sensitivity, the number of people affected, and whether the data has fallen into the hands of someone likely to misuse it.

You can transfer personal data overseas if the receiving country offers comparable protection. You can achieve this through contractual clauses, binding corporate rules, or by showing the destination has data protection laws similar to the PDPA. The PDPC publishes model contractual clauses you can use.

The 2021 amendments introduced a legitimate interest exception within deemed consent. You can process data without express consent if a legitimate interest assessment shows your benefit or the public benefit outweighs any adverse effect on the individual. Document your assessment. The PDPC can review it.

© 2026 Hunto AI. Copyright. All Rights Reserved